From bdabdf0f4225b706e2688c86ca318a2ce21903d6 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Tue, 5 Apr 2022 09:53:22 -0700
Subject: [PATCH] Update comment in FederationDomainTLSSpec
---
 .../config/v1alpha1/types_federationdomain.go.tmpl | 5 +++--
 ...g.supervisor.pinniped.dev_federationdomains.yaml | 13 +++++++------
 generated/1.17/README.adoc | 2 +-
 .../config/v1alpha1/types_federationdomain.go | 5 +++--
 ...g.supervisor.pinniped.dev_federationdomains.yaml | 13 +++++++------
 generated/1.18/README.adoc | 2 +-
 .../config/v1alpha1/types_federationdomain.go | 5 +++--
 ...g.supervisor.pinniped.dev_federationdomains.yaml | 13 +++++++------
 generated/1.19/README.adoc | 2 +-
 .../config/v1alpha1/types_federationdomain.go | 5 +++--
 ...g.supervisor.pinniped.dev_federationdomains.yaml | 13 +++++++------
 generated/1.20/README.adoc | 2 +-
 .../config/v1alpha1/types_federationdomain.go | 5 +++--
 ...g.supervisor.pinniped.dev_federationdomains.yaml | 13 +++++++------
 generated/1.21/README.adoc | 2 +-
 .../config/v1alpha1/types_federationdomain.go | 5 +++--
 ...g.supervisor.pinniped.dev_federationdomains.yaml | 13 +++++++------
 generated/1.22/README.adoc | 2 +-
 .../config/v1alpha1/types_federationdomain.go | 5 +++--
 ...g.supervisor.pinniped.dev_federationdomains.yaml | 13 +++++++------
 generated/1.23/README.adoc | 2 +-
 .../config/v1alpha1/types_federationdomain.go | 5 +++--
 ...g.supervisor.pinniped.dev_federationdomains.yaml | 13 +++++++------
 .../config/v1alpha1/types_federationdomain.go | 5 +++--
 24 files changed, 90 insertions(+), 73 deletions(-)
diff --git a/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl b/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
index e92303a9..27de4401 100644
--- a/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
@@ -31,8 +31,9 @@ type FederationDomainTLSSpec struct {
 // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 // SecretName value even if they have different port numbers.
 //
- // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
- // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+ // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+ // configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+ // It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 // use the default TLS certificate, which is configured elsewhere.
 //
 // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
index c9f969a3..71f7370d 100644
--- a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
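Review bot: The rewritten SecretName paragraph drops the "terminating TLS at an Ingress" example without saying what became of that setup, so a reader of the field comment cannot tell whether serving plain HTTP behind an Ingress is still supported or is now discouraged. The new example suggests the HTTP endpoints are meant to be reachable only over loopback or a UNIX domain socket, with a service mesh sidecar handling TLS; if that is the intent, I would state it as a constraint rather than an "e.g.", for instance `// The HTTP endpoints are unencrypted and should only be reachable from within the pod (loopback or UNIX domain socket).` (wording to be confirmed against the listener configuration, which is not visible in this hunk). The same paragraph also still says "this OIDC Provider's HTTPS endpoints" while the field description elsewhere in the patch speaks of "this FederationDomain", so one term should be used throughout. The struct continues outside the hunk, and the generated copies later in the patch carry the same text.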
@@ -76,12 +76,13 @@ spec: so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. \n SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). It - is also not required when you would like all requests to this - OIDC Provider's HTTPS endpoints to use the default TLS certificate, - which is configured elsewhere. \n When your Issuer URL's host - is an IP address, then this field is ignored. SNI does not work - for IP addresses." + HTTP endpoints (e.g. when the HTTP listener is configured to + listen on loopback interfaces or UNIX domain sockets for traffic + from a service mesh sidecar). It is also not required when you + would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string type: object required: diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index c9a9b07e..9efe8a67 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -538,7 +538,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. - SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. |=== diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/types_federationdomain.go b/generated/1.17/apis/supervisor/config/v1alpha1/types_federationdomain.go index e92303a9..27de4401 100644 --- a/generated/1.17/apis/supervisor/config/v1alpha1/types_federationdomain.go 
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -31,8 +31,9 @@ type FederationDomainTLSSpec struct {
 // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 // SecretName value even if they have different port numbers.
 //
- // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
- // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+ // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+ // configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+ // It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 // use the default TLS certificate, which is configured elsewhere.
 //
 // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
diff --git a/generated/1.17/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.17/crds/config.supervisor.pinniped.dev_federationdomains.yaml
index c9f969a3..71f7370d 100644
--- a/generated/1.17/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.17/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -76,12 +76,13 @@ spec: so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. \n SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). It - is also not required when you would like all requests to this - OIDC Provider's HTTPS endpoints to use the default TLS certificate, - which is configured elsewhere. \n When your Issuer URL's host - is an IP address, then this field is ignored. SNI does not work - for IP addresses." + HTTP endpoints (e.g. when the HTTP listener is configured to + listen on loopback interfaces or UNIX domain sockets for traffic + from a service mesh sidecar). It is also not required when you + would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string type: object required: diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index fce0e2ba..f6ecc0f5 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -538,7 +538,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. - SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. |=== diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/types_federationdomain.go b/generated/1.18/apis/supervisor/config/v1alpha1/types_federationdomain.go index e92303a9..27de4401 100644 --- a/generated/1.18/apis/supervisor/config/v1alpha1/types_federationdomain.go 
+++ b/generated/1.18/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -31,8 +31,9 @@ type FederationDomainTLSSpec struct {
 // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 // SecretName value even if they have different port numbers.
 //
- // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
- // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+ // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+ // configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+ // It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 // use the default TLS certificate, which is configured elsewhere.
 //
 // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
diff --git a/generated/1.18/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.18/crds/config.supervisor.pinniped.dev_federationdomains.yaml
index c9f969a3..71f7370d 100644
--- a/generated/1.18/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.18/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -76,12 +76,13 @@ spec: so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. \n SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). It - is also not required when you would like all requests to this - OIDC Provider's HTTPS endpoints to use the default TLS certificate, - which is configured elsewhere. \n When your Issuer URL's host - is an IP address, then this field is ignored. SNI does not work - for IP addresses." + HTTP endpoints (e.g. when the HTTP listener is configured to + listen on loopback interfaces or UNIX domain sockets for traffic + from a service mesh sidecar). It is also not required when you + would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string type: object required: diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index b2ac07a4..197ed326 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -538,7 +538,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. - SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. |=== diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/types_federationdomain.go b/generated/1.19/apis/supervisor/config/v1alpha1/types_federationdomain.go index e92303a9..27de4401 100644 --- a/generated/1.19/apis/supervisor/config/v1alpha1/types_federationdomain.go 
+++ b/generated/1.19/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -31,8 +31,9 @@ type FederationDomainTLSSpec struct {
 // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 // SecretName value even if they have different port numbers.
 //
- // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
- // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+ // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+ // configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+ // It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 // use the default TLS certificate, which is configured elsewhere.
 //
 // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
diff --git a/generated/1.19/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.19/crds/config.supervisor.pinniped.dev_federationdomains.yaml
index c9f969a3..71f7370d 100644
--- a/generated/1.19/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.19/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -76,12 +76,13 @@ spec: so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. \n SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). It - is also not required when you would like all requests to this - OIDC Provider's HTTPS endpoints to use the default TLS certificate, - which is configured elsewhere. \n When your Issuer URL's host - is an IP address, then this field is ignored. SNI does not work - for IP addresses." + HTTP endpoints (e.g. when the HTTP listener is configured to + listen on loopback interfaces or UNIX domain sockets for traffic + from a service mesh sidecar). It is also not required when you + would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string type: object required: diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 9bf80a58..8ad43876 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -538,7 +538,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. - SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. |=== diff --git a/generated/1.20/apis/supervisor/config/v1alpha1/types_federationdomain.go b/generated/1.20/apis/supervisor/config/v1alpha1/types_federationdomain.go index e92303a9..27de4401 100644 --- a/generated/1.20/apis/supervisor/config/v1alpha1/types_federationdomain.go 
+++ b/generated/1.20/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -31,8 +31,9 @@ type FederationDomainTLSSpec struct {
 // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 // SecretName value even if they have different port numbers.
 //
- // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
- // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+ // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+ // configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+ // It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 // use the default TLS certificate, which is configured elsewhere.
 //
 // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
diff --git a/generated/1.20/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.20/crds/config.supervisor.pinniped.dev_federationdomains.yaml
index c9f969a3..71f7370d 100644
--- a/generated/1.20/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.20/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -76,12 +76,13 @@ spec: so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. \n SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). It - is also not required when you would like all requests to this - OIDC Provider's HTTPS endpoints to use the default TLS certificate, - which is configured elsewhere. \n When your Issuer URL's host - is an IP address, then this field is ignored. SNI does not work - for IP addresses." + HTTP endpoints (e.g. when the HTTP listener is configured to + listen on loopback interfaces or UNIX domain sockets for traffic + from a service mesh sidecar). It is also not required when you + would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string type: object required: diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index d0c24b66..6abd6c4b 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -538,7 +538,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. - SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. |=== diff --git a/generated/1.21/apis/supervisor/config/v1alpha1/types_federationdomain.go b/generated/1.21/apis/supervisor/config/v1alpha1/types_federationdomain.go index e92303a9..27de4401 100644 --- a/generated/1.21/apis/supervisor/config/v1alpha1/types_federationdomain.go 
+++ b/generated/1.21/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -31,8 +31,9 @@ type FederationDomainTLSSpec struct {
 // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 // SecretName value even if they have different port numbers.
 //
- // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
- // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+ // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+ // configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+ // It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 // use the default TLS certificate, which is configured elsewhere.
 //
 // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml
index c9f969a3..71f7370d 100644
--- a/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -76,12 +76,13 @@ spec: so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. \n SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). It - is also not required when you would like all requests to this - OIDC Provider's HTTPS endpoints to use the default TLS certificate, - which is configured elsewhere. \n When your Issuer URL's host - is an IP address, then this field is ignored. SNI does not work - for IP addresses." + HTTP endpoints (e.g. when the HTTP listener is configured to + listen on loopback interfaces or UNIX domain sockets for traffic + from a service mesh sidecar). It is also not required when you + would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string type: object required: diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index ae5b4564..46e9a2e5 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -538,7 +538,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. - SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. |=== diff --git a/generated/1.22/apis/supervisor/config/v1alpha1/types_federationdomain.go b/generated/1.22/apis/supervisor/config/v1alpha1/types_federationdomain.go index e92303a9..27de4401 100644 --- a/generated/1.22/apis/supervisor/config/v1alpha1/types_federationdomain.go 
+++ b/generated/1.22/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -31,8 +31,9 @@ type FederationDomainTLSSpec struct {
 // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 // SecretName value even if they have different port numbers.
 //
- // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
- // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+ // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+ // configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+ // It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 // use the default TLS certificate, which is configured elsewhere.
 //
 // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml
index c9f969a3..71f7370d 100644
--- a/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -76,12 +76,13 @@ spec: so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. \n SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). It - is also not required when you would like all requests to this - OIDC Provider's HTTPS endpoints to use the default TLS certificate, - which is configured elsewhere. \n When your Issuer URL's host - is an IP address, then this field is ignored. SNI does not work - for IP addresses." + HTTP endpoints (e.g. when the HTTP listener is configured to + listen on loopback interfaces or UNIX domain sockets for traffic + from a service mesh sidecar). It is also not required when you + would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string type: object required: diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index b341bc4a..9d67cb25 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -538,7 +538,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. - SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. |=== diff --git a/generated/1.23/apis/supervisor/config/v1alpha1/types_federationdomain.go b/generated/1.23/apis/supervisor/config/v1alpha1/types_federationdomain.go index e92303a9..27de4401 100644 --- a/generated/1.23/apis/supervisor/config/v1alpha1/types_federationdomain.go 
+++ b/generated/1.23/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -31,8 +31,9 @@ type FederationDomainTLSSpec struct {
 // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 // SecretName value even if they have different port numbers.
 //
- // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
- // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+ // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+ // configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+ // It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 // use the default TLS certificate, which is configured elsewhere.
 //
 // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml
index c9f969a3..71f7370d 100644
--- a/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -76,12 +76,13 @@ spec: so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. \n SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when terminating TLS at an Ingress). It - is also not required when you would like all requests to this - OIDC Provider's HTTPS endpoints to use the default TLS certificate, - which is configured elsewhere. \n When your Issuer URL's host - is an IP address, then this field is ignored. SNI does not work - for IP addresses." + HTTP endpoints (e.g. when the HTTP listener is configured to + listen on loopback interfaces or UNIX domain sockets for traffic + from a service mesh sidecar). It is also not required when you + would like all requests to this OIDC Provider's HTTPS endpoints + to use the default TLS certificate, which is configured elsewhere. + \n When your Issuer URL's host is an IP address, then this field + is ignored. SNI does not work for IP addresses." type: string type: object required: diff --git a/generated/latest/apis/supervisor/config/v1alpha1/types_federationdomain.go b/generated/latest/apis/supervisor/config/v1alpha1/types_federationdomain.go index e92303a9..27de4401 100644 --- a/generated/latest/apis/supervisor/config/v1alpha1/types_federationdomain.go +++ b/generated/latest/apis/supervisor/config/v1alpha1/types_federationdomain.go 
@@ -31,8 +31,9 @@ type FederationDomainTLSSpec struct {
 // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 // SecretName value even if they have different port numbers.
 //
- // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
- // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+ // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+ // configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+ // It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 // use the default TLS certificate, which is configured elsewhere.
 //
 // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.